Facebook rewards researcher for uncovering major hole in its code

14 Feb 2015

Facebook rewarded Indian researcher Laxman Muthiyah for uncovering a major hole in the social network's code.

Facebook patched the serious hole, which allowed anyone to delete any user's photos using only four lines of code.

According to a blog post on 7Xter by Muthiyah, who discovered the hole, he could delete any photo album in just seconds using the code.

Muthiyah reported the hole to the social network, which immediately patched it. Muthiyah won $12,500 for discovering and reporting the bug. He added that he was playing around with the social network's Graph API and wondered what would happen if someone's photos were deleted without their knowledge.

"Obviously that's very disgusting isn't it," he wrote in his blog post.

The cyber-security researcher made it sound ridiculously easy to delete anyone's photo albums from Facebook. He tried it using a "Facebook for mobile access token."

This method offered a delete choice for all of the photo albums that had been loaded into Facebook's mobile app.

Furthermore, he said it used the same API as Graph. He picked up a photo album ID and a token for Facebook for Android and successfully deleted photos, Muthiyah added.